CVE-2025-26599

Name	CVE-2025-26599
Description	An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4072-1, DSA-5872-1
Debian Bugs	1098906, 1098907

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
xorg-server (PTS)	bullseye	2:1.20.11-1+deb11u13	vulnerable
	bullseye (security)	2:1.20.11-1+deb11u17	fixed
	bookworm	2:21.1.7-3+deb12u10	fixed
	bookworm (security)	2:21.1.7-3+deb12u11	fixed
	trixie	2:21.1.16-1.3	fixed
	trixie (security)	2:21.1.16-1.3+deb13u1	fixed
	forky, sid	2:21.1.18-2	fixed
xwayland (PTS)	bookworm	2:22.1.9-1	vulnerable
	trixie	2:24.1.6-1	fixed
	forky, sid	2:24.1.8-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
xorg-server	source	bullseye	2:1.20.11-1+deb11u15	DLA-4072-1
xorg-server	source	bookworm	2:21.1.7-3+deb12u9	DSA-5872-1
xorg-server	source	(unstable)	2:21.1.16-1		1098906
xwayland	source	(unstable)	2:24.1.6-1		1098907

Notes

[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84bef2569b4ba4be59323cf575d1798ba9be
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8bedb90b039dc0f70ae69daf047ff9598